How to get CVSS right

Page 2 of 2

To fix that, the CVSS calculator lets you refine the base score for your organization. But my experience is that most organizations use the standard CVSS weights the vendor defined rather than customizing them for themselves. The truth is that each organization needs to determine its own weights and values rather than rely on best practices. If that is too much to undertake, it should start by customizing the temporal and environmental factors as directed in the CVSS standard, and worry about evaluating the weights later.

Getting CVSS right

CVSS can be a powerful tool that can provide a lot of value, and for those needing a quick, dirty, and generally effective rough scoring mechanism for vulnerabilities, it certainly fits the bill. But quick and dirty information security should be the rare exception rather than the rule. Vulnerability management should be customized for each organization. Generic best practices may work, but they won’t be optimized.

With that, consider the following in order to make CVSS usage more effective:

  • understand the organization’s approach to risk. Only then is it possible to make sense of CVSS and tie it into a vulnerability management program.
  • determine the organization’s loss exposure. Ultimately, the resources and impact associated with patching and fixing deficiencies have to be justified by the reduction in loss exposure they buy, not just by whether a given deficiency is the worst one. Focus on business impact. For example, an easily exploitable vulnerability found on a web-facing system with access to sensitive data should probably be handled more urgently than the same vulnerability found internally with no external exposure and only limited, if any, internal exposure.
  • do not rely on generic CVSS results; customize the temporal and environmental factors in order to get a complete score. The base score describes the vulnerability in isolation, not in your environment.
  • what if the company has a vulnerability with a high CVSS score but no known exploit, and another vulnerability with a lower CVSS score that does have a working exploit? Which takes precedence? Decide that in advance; exploit availability is exactly what the temporal exploitability metric is there to capture, which is one more reason not to stop at the base score.

The more an organization customizes CVSS to fit its vulnerability management program, the better off it will be. With CVSS, mileage may indeed vary: CVSS ‘off the shelf’ is OK, but with limited mileage. CVSS ‘customized’ is useful and lets companies get the most mileage they can.

Ben Rothke CISSP is a Senior eGRC Consultant with Nettitude, Inc. and the author of Computer Security: 20 Things Every Employee Should Know.

Copyright © 2015 IDG Communications, Inc.
